Cultivating Leadership and Security for the Future of FOIA
The second in a series of conversations with Michael Sarich, former Director of FOIA at the Department of Veterans Affairs.
by David Pemberton
While integrating purpose-built AI tools is essential to keeping pace with soaring public records demands, technology alone can’t solve the problem. True modernization requires navigating scalable security frameworks, cultivating resilient leadership, and fixing systemic records management issues long before a document ever reaches the records request pipeline.
In the conclusion of this two-part series, Michael Sarich, former Director of FOIA at the Department of Veterans Affairs and a 2025 Fed100 IT Winner, breaks down the realities of secure AI implementation, the launch of FOIA University, and how to build a defensible infrastructure that stands the test of time.
What are some recent examples of AI tools that you think are the most effective, and what future uses for AI are you excited to explore?
The tools that work in FOIA today are the ones that solved a real workflow problem at scale. Three categories are operational now, not experimental, and the procurement window for each is open.
FedRAMP-authorized generative AI for review and summarization is the most consequential recent milestone. Everlaw's authorization mattered because it gave federal agencies a path to use AI-assisted document review without an exception process — the conversation moved from "should we try this" to "how fast can we deploy this."
Predictive coding for exemption-likelihood scoring is defensible enough to be standard practice on large productions. Clustering for related-records identification finds the connections in big document sets that human reviewers will miss every time, no matter how disciplined the linear review. These are not “nice-to-haves,” they’re the operational baseline for any agency processing at scale.
Looking forward, the category I am most excited about is agentic FOIA, workflows where AI is not just summarizing or suggesting but actually moving requests through the pipeline within defined guardrails. The human stays in the loop on the decisions that matter, and the AI carries the work that isn’t as consequential. Done right, that is not a 10% productivity gain. It’s a structural change in how a FOIA shop operates.
I’m also watching the long-promised, finally-arriving capability of LLM-assisted scope dialogue. Better OCR (optical character recognition) and handwriting recognition for legacy records, which is a real bottleneck for any agency with paper in its history.
And then there’s going to be a convergence between records management platforms and FOIA platforms, which is the next product category the market hasn’t fully named yet but is clearly building toward.
You’ve mentioned before that “The question nobody's asking loud enough about FedRAMP is whether that gate is keeping the right vendors in and the right vendors out.” Do you feel that the current authorization process is sufficient? In other words, is the gate working?
FedRAMP serves a real purpose. It sets a baseline for cloud security in federal environments, and that baseline matters. Agencies handle some of the most sensitive personal information in the country, and the standards have to be high. The gate is working as a security baseline. It’s failing as innovation infrastructure, and the cost of that failure now lands on agencies, not just on vendors.
There are two structural problems. First, cost. A FedRAMP High authorization runs north of two million dollars and takes anywhere between 12 and 18 months. Startups with the best technology can’t absorb that, so the federal AI vendor market becomes a club for the incumbents who can. We’re gating innovation by capital, not by capability.
Second, sponsor-agency dynamics distort the market. The vendors with existing federal relationships have an enormous head start that has nothing to do with product quality. New entrants face a procurement environment structured against them, and the agencies that need new capability face a vendor pool narrower than the actual market.
The deeper issue is speed. FedRAMP was designed for an era when enterprise software shipped major updates quarterly. Now, frontier AI models ship significant capability updates weekly. By the time a tool clears the gate, the underlying model has moved through multiple generations. Federal agencies end up authorized to use last year's AI while the commercial market is two years ahead. Every month the gate moves slowly, the gap between federally-authorized capability and commercial benchmark widens.
The cost of that gap is borne by the agencies that need the capability and can’t procure it, which is to say, the cost lands on the public the agencies serve.
The right reform is tiered, modular authorization that preserves the security envelope while letting underlying model components update faster. FedRAMP 20x is the right direction. It needs to land. The gate is not the wrong idea. The mechanism needs to catch up with what it is gating, or federal agencies are going to be the last institutions in the country running stale AI, which is the opposite of what the gate was designed to produce.
I’m interested in talking more about FOIA University and its mission to train the next generation of FOIA leaders. First, what qualities do you think make a strong FOIA leader?
I noticed that for FOIA there’s training but no core curriculum. So, for FOIA University, there’s three levels.
The first track gives you everything you need to know so that you can walk into a FOIA shop with full confidence. What slows FOIA the most is a lack of confidence. Everyone wants to feel like they know what they're doing, but they don't, and it’s unfair for us in the federal space to think someone will do that.
I didn’t know anything until I did my first 200 cases, and I was slow. If I had had the training in this area I would have gone in with a lot of confidence and I wouldn’t have wasted so much time, I would have been able to contribute faster. As we see headcount drop, we don’t have that time anymore, we don’t have that luxury. With training like this I think we can make this happen.
In terms of the qualities that make a strong FOIA leader, there’s three that come to mind, in order of how often they get overlooked.
The first is operational fluency. A FOIA leader has to have actually processed requests, not just managed people who do. That now includes fluency with the modern toolkit, not as a power user, but enough to evaluate what the tools can and can’t do, to set realistic timelines, and to defend processing decisions to litigators. The leaders who stop learning the tools stop being able to lead the work.
Next is coalition-building. FOIA is the most cross-functional function in any agency. It touches legal, records, IT, communications, and every program office. The leaders who succeed are the ones who can build standing relationships across those silos before they need anything from them, which now includes the IT and procurement relationships that determine whether the agency gets the modern tools at all.
Finally, it's political resilience. FOIA leaders get squeezed from both directions, by requesters wanting more, and by leadership wanting less drama. The ones who last are the ones who can take both pressures without breaking, and without losing sight of the mission.
Do you see a new generation coming up? What advice do you have for them?
Yes, and it is smaller than it should be. Workforce reductions hit FOIA shops hard, and the Deferred Resignation Program took out a layer of mid-career practitioners who would have been the next generation's mentors. We lost institutional knowledge that will not come back easily.
But there are sharp people coming up who get the technology and care about the mission, and the field has more public infrastructure to support them than it had ten years ago.
The advice I give boils down to four things. First, get credentialed. The field is finally building the kind of professional training infrastructure other disciplines have, and FOIA University is part of that.
Second, build a network outside your agency, because the lessons that matter most are the ones your supervisor can’t teach you. Also, don’t forget to learn the tools, including the ones your agency doesn’t use yet, because the procurement window will open faster than you expect, and the people fluent on day one will lead day two.
And finally, find a mentor who is not your supervisor. Your supervisor knows your job. Your mentor knows your career.
How has the FOIA process modernized in the past year? What areas still need modernization?
AI-assisted review is real and FedRAMP-authorized on multiple platforms, which means it’s in procurement reach for agencies that want it. Requester portals have expanded from a handful of leading agencies to an expected baseline. Just five years ago, "can the requester see the status of their request" was a frontier question; now it’s table stakes.
And vendor accountability infrastructure has matured. The NexGen showcases, public RFI processes, and community-driven vendor diligence have moved the procurement conversation from marketing-led to evidence-led. Agencies now have actual information when they make decisions.
What still needs modernization is records management upstream of FOIA. This is the biggest gap in the field. FOIA can’t be better than the records it processes, and most agencies still treat records management as a compliance afterthought rather than an operational design requirement.
The good news is that the tooling to fix this exists. Modern records platforms with AI-aware metadata, retention enforcement, and lifecycle integration are real products. The bad news is that the procurement category has not yet converged with FOIA tooling, so agencies are buying point solutions instead of integrated platforms.
If you had a magic wand, what would you change about the FOIA and public records request process?
If I had one change to make, I would treat records management upstream of FOIA as a first-class priority. If every agency designed its records environment for findability from day one, I’m talking about email, Teams, Slack, SharePoint, every channel where federal work actually happens, then FOIA processing time would drop by half before any new platform touched the workflow.
The tools are mature. AI-aware records platforms with metadata enrichment, retention enforcement, and lifecycle visibility are real procurement options in 2026. They weren’t a decade ago. What used to be a multi-year infrastructure build is now a procurement decision and a governance commitment.
The wand wouldn’t change the technology. The technology is ready. The wand would change the time horizon over which agency leadership is willing to invest in their own operational backbone. The benefits accrue to future requesters and to leadership two or three administrations from now, while the costs land on the current budget cycle.
That’s the politics of long-horizon infrastructure, and it’s the one thing the market alone can’t solve. The capability is in the building. The will is what we’re still short on. Get both, and FOIA stops being a transparency battleground and becomes what it was always meant to be, the connective tissue between the public and the work being done in its name.
Overall, why is FOIA an important aspect of the relationship between citizens and the government?
I fundamentally believe that FOIA does a lot of things, but the most important thing it does is it grows trust in our institutions. Where AI really helps, where it becomes a force multiplier, is on the speed front. If we’re able to leverage AI for speed and accuracy, and I believe we have to do both, then we’re able to get our citizens answers quickly, then that trust will increase.
Delays make people think that the government is hiding something, and that’s where conspiracy theories pop up. But the truth is, the people working in public records and FOIA requests are overworked, but they’re still trying to answer requests as best they can.
When you see projects where the estimated completion date is 26 years, it’s really just pointless, justice delayed is justice denied. The people have a right to infer what they would like from that delay, and it’s perfectly reasonable to be angry if you are a citizen and your government, who you’re paying, tells you the information you want is going to be delayed.
The truth is, we’re not going to live forever. So we have to get people the information they want in a timely way. And as I like to say, sunlight is the best disinfectant. If officials in office know that information will go out during their term, it will most likely incentivize them to continue to be good actors. If an official knows that records and FOIA requests get answered quickly, then the angel on their right shoulder is going to prevail over the devil on the left.
But if you ask me, it’s the speed and the accuracy, that’s how we improve trust.
This is part two of a two-part interview. The first entry in this series can be found here.
To learn more about how Everlaw can help government agencies speed up response times for FOIA or Public Records requests, request a demo today.
David Pemberton is an associate content marketer at Everlaw. His writing explores the influence of emerging technologies on the practice of law. See more articles from this author.